DEV Community

Cover image for Are you still exposing your Django SECRET_KEY?
KagemaNjoroge
KagemaNjoroge

Posted on • Originally published at njoroge.tomorrow.co.ke

Are you still exposing your Django SECRET_KEY?

Django settings.py contains the most sensitive information of your project. Hard coding key details such as SECRET_KEY,ALLOWED_HOSTS, database settings such database password, database host, database port, database username in your codebase is a security risk. In this article, we will discuss how to secure your Django SECRET_KEY by using environment variables and the python dotenv library. While I will focus on the SECRET_KEY, the same principles can be applied to other sensitive information in your Django project.

Why is the Django SECRET_KEY important?

Django uses the SECRET_KEY to provide cryptographic signing, protection against CSRF attacks, and other security features. If an attacker gains access to your SECRET_KEY, they can potentially compromise the security of your Django project. It is crucial to keep the SECRET_KEY confidential and secure.

Installing the python-dotenv library

The python-dotenv library allows you to load environment variables from a .env file into your Django project. To install the python-dotenv library, you can use pip:

pip install python-dotenv
Enter fullscreen mode Exit fullscreen mode

If you do have a requirements.txt file, you can add the python-dotenv library to it.

Creating a .env file

Create a .env file in the root directory(the same directory as manage.py) of your Django project. Add the SECRET_KEY to the .env file in the following format:

SECRET_KEY="your_secret_key_here"
Enter fullscreen mode Exit fullscreen mode

Adding the .env file to .gitignore

The .env file contains sensitive information, and you should not commit it to your version control system. To prevent the .env file from being accidentally committed, add it to your .gitignore file. Here is an example of how you can add the .env file to your .gitignore file:

# .gitignore
.env
Enter fullscreen mode Exit fullscreen mode

Loading the SECRET_KEY from the .env file

In your settings.py file, you will need to import the os and dotenv modules and load the SECRET_KEY from the .env file. Here is an example of how you can do this:

import os
from dotenv import load_dotenv

load_dotenv()
Enter fullscreen mode Exit fullscreen mode

load_dotenv() will load the environment variables from the .env file into your Django project. After reading from the .env file, load_dotenv() will update the os.environ dictionary with the key-value pairs from the .env file.

  • It is important to call load_dotenv() before accessing the SECRET_KEY in your settings.py file.

Accessing the SECRET_KEY in your settings.py file

Now that you have loaded the SECRET_KEY from the .env file, you can access it in your settings.py file using the os module:

SECRET_KEY = os.getenv('SECRET_KEY')
Enter fullscreen mode Exit fullscreen mode

By using os.getenv('SECRET_KEY'), you can access the SECRET_KEY value stored in the .env file. This ensures that the SECRET_KEY is not hard-coded in your codebase and is kept secure.

Please note the above steps can be applied to other sensitive information in your Django project.

Happy coding! 🚀🐍

Top comments (0)